
ssl-trust-default-ca

From: Aaron D. Ball <adb_at_broad.mit.edu>
Date: Wed, 01 Oct 2008 19:56:26 -0400

Has anyone used ssl-trust-default-ca successfully? I'm hoping to be
able to add our organization's CA cert to /etc/ssl/certs so that users
don't get asked whether to accept the SSL cert for our Subversion server.

Things that work (i.e., SVN server cert is accepted automatically):

Subversion with the ssl-authority-files option set
openssl s_client with -CApath

Things that don't work:

Subversion with ssl-trust-default-ca set (and not ssl-authority-files)
openssl s_client without -CApath

I'm not too familiar with the OpenSSL libraries, but it looks from this patch

http://www.mail-archive.com/openssl-dev@openssl.org/msg23045.html

like it's left up to the application to specify the default CA locations
with SSL_CTX_load_verify_locations(), and Subversion doesn't do that;
so I'm left wondering if this config option works at all, or if I'm just
doing something dumb.

(ssl-authority-files would work if I only cared about making this work
for our organization, but it would be much better if users had the same
experience for any SVN repository that had a proper certificate chain
leading back to well-known root certificates---e.g., we could add the VA
Linux cert and everything at Sourceforge would work.)

-- 
Aaron D. Ball <adb_at_broad.mit.edu>
Senior Systems Analyst
Broad Institute of MIT and Harvard
Received on 2008-10-02 01:56:49 CEST

This is an archived mail posted to the Subversion Users mailing list.
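
A diagnostic for the situation described in the mail, added here as an example (it is not part of the original post and is not Subversion code). It uses Python's `ssl` module, which wraps OpenSSL, to show that a fresh context holds no CAs until the application asks for the defaults, which default locations the linked OpenSSL was built with, and whether a CA directory contains the hash-named entries that a CApath lookup relies on. The function names are hypothetical, and `/etc/ssl/certs` is the path from the mail.

```python
import os
import re
import ssl

# OpenSSL looks certificates up in a CApath directory by subject-name hash,
# so only entries named like "1a2b3c4d.0" are ever consulted.
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def capath_entries(directory):
    """Split a CA directory into (hash-named entries, other files)."""
    hashed, other = [], []
    for name in sorted(os.listdir(directory)):
        (hashed if HASH_NAME.match(name) else other).append(name)
    return hashed, other


def loaded_ca_count(ctx):
    """Number of CA certificates currently held in the context's store."""
    return ctx.cert_store_stats()["x509_ca"]


def default_locations():
    """Default CA file/dir compiled into the linked OpenSSL, plus overrides."""
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.openssl_cafile,
        "capath": p.openssl_capath,
        "cafile_env": (p.openssl_cafile_env, os.environ.get(p.openssl_cafile_env)),
        "capath_env": (p.openssl_capath_env, os.environ.get(p.openssl_capath_env)),
    }


def report(site_capath="/etc/ssl/certs"):  # assumption: path taken from the mail
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # no trust anchors loaded yet
    print("bare context CAs:", loaded_ca_count(ctx))
    ctx.set_default_verify_paths()  # the application opts in to the defaults
    print("after set_default_verify_paths:", loaded_ca_count(ctx),
          "(CApath entries are read lazily and are not counted)")
    for key, value in default_locations().items():
        print(f"{key}: {value}")
    if os.path.isdir(site_capath):
        hashed, other = capath_entries(site_capath)
        print(f"{site_capath}: {len(hashed)} hash-named, {len(other)} other entries")


if __name__ == "__main__":
    report()
```

If the reported default `capath` differs from the directory the certificate was copied into, or the certificate has no hash-named entry there, a default-path lookup will not find it even though an explicit `-CApath` or CA file setting does.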